“TWEAK: Complete the review and removal of calls to the unserialize() PHP function allowing class instantiation begun in 1.24.7. (The final removal involved a theoretical security defect, if your development site allowed an attacker to post content to it which you migrated to another site, and which contained customised code that could perform destructive actions which the attacker knew about, prior to you then cloning the site. The result of this removal is that some search-replaces, highly unlikely to be encountered in practice, will be skipped).”
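The trade-off the changelog describes, refusing class instantiation at the cost of skipping some search-replaces, can be illustrated as follows. This is an added example, not UpdraftPlus code: the function names and sample rows are constructed for illustration, and it assumes PHP 7.2 or later.

```php
<?php
// Added example, not UpdraftPlus code; function names are hypothetical.

// True if a decoded value holds an object that PHP declined to instantiate.
function contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Search-replace in a stored value without ever instantiating a class.
// Returns [new value, status], status being "replaced" or "skipped".
function safe_search_replace(string $raw, string $search, string $replace): array
{
    // allowed_classes=false: objects decode to inert __PHP_Incomplete_Class,
    // so no __wakeup() or __destruct() from the site's code can run.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== serialize(false)) {
        return [str_replace($search, $replace, $raw), 'replaced']; // plain text
    }
    if (contains_object($data)) {
        return [$raw, 'skipped']; // leave untouched rather than rebuild objects
    }
    if (is_string($data)) {
        $data = str_replace($search, $replace, $data);
    } elseif (is_array($data)) {
        array_walk_recursive($data, function (&$v) use ($search, $replace) {
            if (is_string($v)) {
                $v = str_replace($search, $replace, $v);
            }
        });
    }
    return [serialize($data), 'replaced']; // string lengths are recomputed
}

// Constructed sample rows (not taken from any real site).
$rows = [
    serialize(['home' => 'https://dev.example.test']),
    serialize((object) ['url' => 'https://dev.example.test']),
];
foreach ($rows as $row) {
    [$out, $status] = safe_search_replace($row, 'dev.example.test', 'www.example.test');
    echo $status, ': ', $out, PHP_EOL;
}
```

The array row is rewritten with corrected string lengths, while the row containing a serialized object is returned unchanged and reported as skipped.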
Updraft Plus Vulnerability Patched
Users should consider updating their installations of Updraft Plus to the latest version, 1.24.12. All earlier versions are vulnerable.
Read the Wordfence advisory:
UpdraftPlus: WP Backup & Migration Plugin <= 1.24.11 – Unauthenticated PHP Object Injection